Re: [webappsec] CSP META tag support - keep or remove?

On 27 March 2012 16:37, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/26/12 3:27 PM, Hill, Brad wrote:
>> * We have heard reports that the META tag is used to delay policy
>> enforcement: to pre-load some resources outside of CSP
>> restrictions, then inject it into a page to "lock it down".  If
>> this is to be a supported use-case, I think we need to update the
>> spec to make this very explicit.
>
> While sites might use that approach as a transitional device, I
> don't think it should be an explicitly supported use-case. The only
> safe way to use a <meta> policy is to put it first(-ish) in the
> document to minimize the risk of content injection that could negate it.

I was likewise kind of surprised this was used and reliable enough to
be even quasi-recommended or suggested, but not having tested it at
all, I didn't want to be the first to say so.

-tom

Received on Tuesday, 27 March 2012 21:01:34 UTC
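Dan's point above, that a <meta> policy is only reliable when it comes before anything the page loads, is easy to check mechanically. The following is an added example, not code from the thread or from any CSP implementation: it walks an HTML document with Python's standard-library parser and reports every resource-loading element that precedes the CSP <meta>, since those fetches (and any inline script) happen before the policy exists. The two sample pages are constructed for the example.

```python
from html.parser import HTMLParser

# Elements that fetch or execute content. Any of these appearing before the
# CSP <meta> has already done its work by the time the policy takes effect.
RESOURCE_TAGS = {
    "script", "link", "style", "img", "iframe", "object", "embed",
    "video", "audio", "source", "base",
}


class CspMetaAudit(HTMLParser):
    """Record resource-loading tags seen before the first CSP <meta>."""

    def __init__(self):
        super().__init__()
        self.preceding = []      # (tag, line) pairs seen before the policy
        self.csp_policy = None   # content attribute of the CSP <meta>
        self.csp_line = None     # 1-based line where the <meta> appears

    def handle_starttag(self, tag, attrs):
        # html.parser also routes self-closing tags (<meta ... />) here.
        a = dict(attrs)
        if self.csp_policy is not None:
            return  # only tags before the policy matter
        http_equiv = (a.get("http-equiv") or "").strip().lower()
        if tag == "meta" and http_equiv == "content-security-policy":
            self.csp_policy = a.get("content", "")
            self.csp_line = self.getpos()[0]
        elif tag in RESOURCE_TAGS:
            self.preceding.append((tag, self.getpos()[0]))


def audit_csp_meta(html):
    """Return a dict describing whether the CSP <meta> comes early enough.

    status is "missing" (no CSP <meta>), "ok" (nothing loadable precedes it)
    or "late" (resource-loading tags appear before it; listed in 'preceding').
    """
    parser = CspMetaAudit()
    parser.feed(html)
    parser.close()
    if parser.csp_policy is None:
        return {"status": "missing", "policy": None, "line": None, "preceding": []}
    status = "ok" if not parser.preceding else "late"
    return {
        "status": status,
        "policy": parser.csp_policy,
        "line": parser.csp_line,
        "preceding": parser.preceding,
    }


# Constructed sample: policy first in <head>, before any script or stylesheet.
GOOD_PAGE = """<!doctype html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="/app.js"></script>
</head>
<body><img src="/logo.png"></body>
</html>
"""

# Constructed sample: the "pre-load, then lock down" pattern from the thread.
# Three fetches complete before the <meta> on line 9 is even parsed.
LATE_PAGE = """<!doctype html>
<html>
<head>
<script src="https://cdn.example/widget.js"></script>
<link rel="stylesheet" href="/site.css">
</head>
<body>
<img src="/logo.png">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</body>
</html>
"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("late", LATE_PAGE)):
        report = audit_csp_meta(page)
        print(name, report["status"], "line", report["line"])
        for tag, line in report["preceding"]:
            print(f"  <{tag}> on line {line} precedes the policy")
```

The audit stops recording once the policy tag is seen, so the `preceding` list is exactly the set of fetches a late <meta> can never govern; an empty list with status "ok" corresponds to the "first(-ish)" placement recommended above.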